CVE-2018-16889

CWE-532 — Log File Information Exposure CWE-20 — Improper Input Validation CWE-200 — Information Exposure CWE-312 — Cleartext Storage of Sensitive Info CWE-53810 documents8 sources

Severity

7.5HIGH

EPSS

0.1%

top 79.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Ceph THE Ceph Project Ceph

Timeline

PublishedJan 28

Latest updateMay 13

Description

Ceph does not properly sanitize encryption keys in debug logging for v4 auth. This results in the leaking of encryption key information in log files via plaintext. Versions up to v13.2.4 are vulnerable.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶Debianceph< 12.2.11+dfsg1-1+3

▶NVDredhat/ceph13.2.4

▶CVEListV5the_ceph_project/cephup to v13.2.4

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-2xfm-mgc4-j8fx: Ceph does not properly sanitize encryption keys in debug logging for v4 auth↗2022-05-13

▶

OSV

ceph vulnerabilities↗2019-06-25

▶

CVEList

CVE-2018-16889: Ceph does not properly sanitize encryption keys in debug logging for v4 auth↗2019-01-28

▶

OSV

CVE-2018-16889: Ceph does not properly sanitize encryption keys in debug logging for v4 auth↗2019-01-28

▶

📋Vendor Advisories

Ubuntu

Ceph vulnerabilities↗2019-06-25

▶

Red Hat

ceph: debug logging for v4 auth does not sanitize encryption keys↗2019-01-10

▶

Debian

CVE-2018-16889: ceph - Ceph does not properly sanitize encryption keys in debug logging for v4 auth. Th...↗2018

▶

💬Community

Bugzilla

CVE-2018-16889 ceph: debug logging for v4 auth does not sanitize encryption keys [fedora-all]↗2019-01-11

▶

Bugzilla

CVE-2018-16889 ceph: debug logging for v4 auth does not sanitize encryption keys↗2019-01-11

▶